Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rust call analysis #452

Merged
merged 25 commits into from
Aug 15, 2023
Merged

Rust call analysis #452

merged 25 commits into from
Aug 15, 2023

Conversation

another-rex
Copy link
Collaborator

@another-rex another-rex commented Jul 27, 2023

Support rust for call analysis, the current version is fully working for any rust binary or library that can be built with cargo build

Part of #476

TODO:

  • Figure out what if anything is wrong with the go analysis (Nothing is wrong, added another test for the future)
  • Add documentation to rust call analysis
  • Add tests
    • extractRlibArchive
    • ar
    • rustBuildSource integration test

Limitations: #464

@another-rex another-rex requested a review from oliverchang July 27, 2023 01:15
Copy link
Collaborator

@oliverchang oliverchang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice! can you please add a simple test as well?

internal/sourceanalysis/ar/reader.go Outdated Show resolved Hide resolved
internal/sourceanalysis/rust.go Outdated Show resolved Hide resolved
func cleanRustFunctionSymbols(val string) string {
// Used to remove generics from functions and types as they are not included in function calls
// in advisories:
// E.g.: `smallvec::SmallVec<A>::new` => `smallvec::SmallVec::new`
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if we should start a discussion here if the data can be formatted in a more convenient way to begin with?

Regex seems potentially very error prone here.

internal/sourceanalysis/rust.go Outdated Show resolved Hide resolved
internal/sourceanalysis/rust.go Show resolved Hide resolved
internal/sourceanalysis/rust.go Outdated Show resolved Hide resolved
internal/sourceanalysis/rust.go Show resolved Hide resolved
internal/sourceanalysis/rust.go Outdated Show resolved Hide resolved
internal/sourceanalysis/rust.go Show resolved Hide resolved
@another-rex another-rex mentioned this pull request Aug 2, 2023
2 tasks
@another-rex another-rex requested a review from hayleycd August 2, 2023 06:02
Copy link
Collaborator

@hayleycd hayleycd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd like to see a sample SCA output for the docs.

docs/output.md Outdated Show resolved Hide resolved
docs/output.md Outdated
```

**Rendered:**

| OSV URL | CVSS | Ecosystem | Package | Version | Source |
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So when I saw that there were changes in the output file, I was hoping to see output from the SCAs. How does the Go & Rust output look different from the standard ?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added some examples and JSON comments explaining the output more thoroughly.

Copy link
Collaborator

@oliverchang oliverchang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

As discussed offline, let's raise some data formatting (re the remaining open comment on the PR around generics) and consistency issues (e.g. macros) with the upstream RustSec folks. It would be nice to show osv-scanner as an example tool that can leverage the DB to its full extent.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants